8 bits

Anybody who's working with Encase knows it's process indicator isn't accurate. You never know how long a process (acquire, verify etc.) wil take. The free Process Monitor of systinternals.com solves this problem.

How does it work

Download the free tool, unzip it and store procmon.exe in the c:\Windows\sytem32 folder

Next time you start to work with Encase, open a dosbox and type "procmon.exe". Process Monitor will now start.

Now add the following details:

Process name is Encase.exe then Include

Click Add and OK

Now, you can exactly see the processes of Encase.

At the moment I'm working on a new forensic tool for Windows, based on strings and SQL. I will write more about this tool in the near future. Last night I did a test by writing a short text and hiding the textfile somewhere in a subfolder.

My tool did find the text string and parsed 2.150.954.083 string elements (that's over two biljon elements!) in 36894.77 seconds (10:14:54 hours), which is certainly not bad.

Of course, there are many tools which can find text strings, but not for windows and not based on SQL.

I'm still workin' on it, but it seems to be possible to pipe the stdin output to logparser.

For example:

strings c:\temp\test.img | logparser "select * from stdin" -o:datagrid

example 2:

netstat -a | logparser "select * from stdin" -i:tsv -iseparator:space -nsep:2 -o:datagrid -fixedsep:off -nskiplines:2

This can have great possibilities and I certainly have to do more research

added March 31:

a real nifty combination: logparser and sed for windows

example:

logparser "select * from file1.csv" -i:TSV | sed "s/\"/ /g"

logparser and gawk for windows

example:

logparser "select * from file1.csv" -i:TSV | gawk {print$1$2$3$4}

With CaineLiveUsb you can boot and investigate devices without a CD-Rom drive (like netbooks etc.).

CAINE (Computer Aided INvestigative Environment) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio Emilia. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

Visit the Caine website

PC memory analysis is increasingly important because of ever arising encryption techniques, polymorphic malware etc. Simply pulling the plug of a live machine and investigating the contents of the harddisk is not enough anymore. Here's a short guide how you can do a proper (minimal) analysis of live memory.

Limewire is a peer-to-peer (P2P) application that is based around the Gnutella protocol. The Gnutella protocol is a communication protocol that allows a user to connect to a network with no centralized server, every node in a P2P network can talk to every other node. This allows the community to determine content with no supervision, making it ideal for the trading of illegal material.

Limewire files of interest include: library.dat, createtimes.cache, version.xml, fileurns.cache and limewire.props. Taken together the content of these files will give the investigator a picture of the users’ library, what they downloaded, dates and times, SHA1 values, what the user shared and what not.

Werner Rumpeltesz recently updated his free HTTP Logstat tool (v. 1.2.1). I downloaded it and took it for a test drive. The tool works fine with Windows XP but in my case it crashed under Vista.

With the help of Webmin I downloaded some Apache logfiles of one of my servers.

---

Possible interesting logfiles (Linux server):

/var/log folder:

auth.log (but also auth.log.0, auth.log.1.gz etc.as logfiles are rotating)
daemon.log
mysql.log
syslog
user.log

/var/log/apache2 folder:

access.log (access.log.1, access.log.1.gz etc.)
error.log (error.log.1, error.log.1.gz etc.)

Several other logfiles can exist on a server, as some programs tend to create and maintain their own specific logs.

---

In this testcase, I use HTTP LogStat to study the contents of access.log.2.gz, which I have copied to my local pc:

First thing I do now is change the language of the tool, as German is not my favorite language. Click in Extras to do so.

Now, you have to make a profile for you server.

This seems to be an unnecessary step to take, but the tool doesn't work without a profile.

Now, I can select the logfile I have downloaded from my server (Path / file mask)

After this you can create a report

The tool creates a very clear report. You can find an example here.

The free HTTP LogStat tool is a great help to learn more about your own server or to use in hack investigations.

In December 2008 the sixth edition of the Australian Digital Forensics Conference was being held. Several very interesting presentations are available for download, like:

iPhone Forensics, Forensic Acquisition and Analysis of the TomTom One Satellite Navigation Unit, Extraction of User Activity through Comparison of Windows Restore Points, Email 'Message-IDs' helpful for forensic analysis?, Data Hiding in Windows Executable Files and The Impact of U3 Devices on Forensic Analysis.

You can download the complete proceedings here

Het is mogelijk om met PHP de MD5 hashwaarde van een bestand te berekenen. Dit kan erg handig zijn bij het uploaden van bestanden naar een server, om te controleren of een bestand op de server gewijzigd is, of om te controleren of een bestand na een langere periode nog steeds integer is.

Voorbeeld script:

<?php
$file = 'Outlook1.pst';
echo 'MD5 file hash of ' . $file . ': ' . md5_file($file);
?>

de output is de MD5 hashwaarde.

Als je wilt controleren of een bestand op de server gewijzigd is, dan kun je gebruik maken van het volgende script:

<?php
$file_xls = "test.xls";
$file_md5 = "test.xls.md5"; // Must exists and must be writable for PHP
$md5_new_file = trim(md5_file($file_xls));
$md5_old_file = trim(file_get_contents($file_md5));

if($md5_new_file <> $md5_old_file)
    {
    echo "file is out of date, updating now...";
    rename($file_md5, $file_md5.".bak");
    $fp = fopen($file_md5, 'w');
    fwrite($fp, $md5_new_file);
    fclose($fp);
/*
Here we do some job...
In my case - dealing with "Spreadsheet Excel Reader"
*/
    unlink($file_md5.".bak");
    }
// "Not for crontab" - Remove the following section if you are intending to run it in crontab
else
    {
    echo "file is up to date, nothing to do...";
    }
// End "Not for crontab";
?>

De makers van CCleaner blijken tevens een handig bestandsherstelprogramma'tje gemaakt te hebben genaamd Recuva. Met deze gratis tool voor Windows kun je eenvoudig verwijderde bestanden terug vinden en, als je geluk hebt, herstellen. Ik heb versie 1.20.361 van het programma zojuist geprobeerd en met behulp van de deep scan functie kon ik een hoop verwijderde bestanden vanaf mijn draaiende laptop terug vinden. Het mooie van Recuva is dat het de toestand van een verwijderd bestand aangeeft. Zo kan een bestand nog geheel beschikbaar zijn (excellent) of reeds zwaar overschreven door een ander bestand (poor).

Recuva heeft zijn eigen website, waar je het installatiebestand kunt downloaden.